<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi,<div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 28 August 2015 at 01:26, Schwartz, Jared <<a href="mailto:Jared.Schwartz@USPTO.GOV" class="">Jared.Schwartz@USPTO.GOV</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="margin-top: 0px; margin-bottom: 0px; font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="background-color: rgb(255, 255, 255);" class="">I have made great progress with the Smart Card services tool and our PIV cards. 
I was able to log in to web portals with no issues but I have hit a roadblock and was hoping you could help.</span></div><div style="margin-top: 0px; margin-bottom: 0px; font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></div><div style="margin-top: 0px; margin-bottom: 0px; font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="background-color: rgb(255, 255, 255);" class="">We have our machines connected to an Open Directory, and would like to log in to the account via PIV cards. 
As a test I used <font face="Inconsolata, monospace" size="3" class=""><span style="line-height: 24px;" class="">sudo sc_auth accept -u administrator -k "PIV" </span></font><font face="Inconsolata, monospace" class=""><span style="line-height: 24px;" class="">and</span></font><font face="Inconsolata, monospace" size="3" class=""><span style="line-height: 24px;" class="">/or </span></font><font face="Inconsolata, monospace" size="3" class=""><span style="line-height: 24px;" class="">$ sudo sc_auth accept -u Alice -h HASH to bind the certificate's hash to </span></font><font face="Inconsolata, monospace" class=""><span style="line-height: 24px;" class="">the local administrator account.</span></font></span></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><br class=""></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class="">I verified the hash is set under the local administrator account and then logged out, but I never get the "switchover" from password login to PIN on Mac OS 10.10.5. 
I also tried on a machine that is not connected to the Open Directory with the same result.</div></div></blockquote><div><br class=""></div><div>Did you enable the SmartCard sniffer for the login process?</div><div><br class=""></div><div>You have to run « sudo security authorizationdb smartcard enable » for that.</div><div><br class=""></div><div>The whole process is described on my blog <a href="http://blog.inig-services.com/archives/1448" class="">http://blog.inig-services.com/archives/1448</a> (it’s in French, but many people have successfully used it with Google Translate).</div><br class=""><blockquote type="cite" class=""><div class=""><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class="">After we get past the issue of not being able to log in with the PIN, any idea how we set up the hash attribute for our users in Open Directory?</div></div></blockquote><br class=""></div><div>For that you have to use my updated version of sc_auth, available in my blog post or on my GitHub account <a href="https://github.com/ygini/osx_misc/blob/master/sc_auth" class="">https://github.com/ygini/osx_misc/blob/master/sc_auth</a>.</div><div><br class=""></div><div>It will allow you to specify the directory administrator to use when accessing the directory server for modification (so in the case of OD, your diradmin account).</div><div><br class=""></div><div>But be aware of something with smart card authentication and Open Directory Server.</div><div><br class=""></div><div>First, you will lose Kerberos. So for network resources like file sharing the user will still have to know their own password. 
In any other setup you will be able to use the PKINIT process from Kerberos to obtain a TGT from your KDC via smart card based authentication. But with OS X Server, Apple doesn’t allow us to set up PKINIT, even though all underlying services are compatible with it.</div><div><br class=""></div><div>So as soon as you need to authenticate to something not cert based or web based, your users will have to use their password.</div><div><br class=""></div><div>Second, your users will still be able to log in with username and password.</div><div><br class=""></div><div>The sc_auth based process extends the login capabilities but doesn’t restrict them.</div><div><br class=""></div><div>So if you want to lock the workstation to smart card only login, you won’t be able to do it with OS X Server. As far as I know, only a Windows server with a proper PKINIT setup (and an OS X cacloginconfig based smart card setup) will allow you to go that way.</div><div><br class=""></div><div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Best regards,</div><div class="">Yoann Gini</div></div>
</div>
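A pre-flight check for the three things the reply says PIN login on OS X 10.10 depends on (the sniffer mechanism enabled in authorizationdb, a hash bound to the account, and the inserted card's PIV hash matching it), added here as an example and not code from either correspondent or from the sc_auth fork; it assumes the mechanism name builtin:smartcard-sniffer,privileged and that sc_auth list / sc_auth hash print one 40-hex-character hash per line.

```shell
#!/bin/sh
# Added example, not code from either message in the thread: a pre-flight
# check for the pieces the reply says PIV login on OS X 10.10 depends on.
# Assumptions (not stated on the page): `security authorizationdb smartcard
# enable` adds a mechanism named "builtin:smartcard-sniffer,privileged" to
# system.login.console, and `sc_auth list -u USER` / `sc_auth hash -k PIV`
# print one 40-hex-character SHA-1 hash per line (hash first on `hash`).

# Return 0 when the authorizationdb text for system.login.console already
# carries the smartcard sniffer mechanism, i.e. the "switchover" can happen.
sniffer_enabled() {
    printf '%s\n' "$1" | grep -q 'builtin:smartcard-sniffer'
}

# Count the certificate hashes bound to an account in `sc_auth list` output.
count_bound_hashes() {
    printf '%s\n' "$1" | grep -c -E '^[0-9A-Fa-f]{40}$'
}

# Return 0 when the hash of the inserted card matches one of the bound hashes
# (case-insensitive: sc_auth prints upper case, admins often type lower case).
card_hash_bound() {
    printf '%s\n' "$2" | grep -q -i -x -F "$1"
}

# Run the real checks on a Mac: read the login rule, the bound hashes and the
# inserted card's PIV hash, and report what is still missing for PIN login.
check_user() {
    user=$1
    rule=$(security authorizationdb read system.login.console 2>/dev/null) \
        || { echo "cannot read system.login.console (run as root)"; return 2; }
    sniffer_enabled "$rule" \
        || echo "sniffer not enabled: sudo security authorizationdb smartcard enable"
    bound=$(sc_auth list -u "$user" 2>/dev/null)
    echo "$(count_bound_hashes "$bound") hash(es) bound to $user"
    card=$(sc_auth hash -k PIV 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$card" ] || { echo "no PIV key found on an inserted card"; return 1; }
    if card_hash_bound "$card" "$bound"; then
        echo "card hash $card is bound to $user"
    else
        echo "card hash not bound: sudo sc_auth accept -u $user -h $card"; return 1
    fi
}

# Usage on the client: sudo sh piv_check.sh USERNAME (constructed file name).
if [ $# -ge 1 ]; then check_user "$1"; fi
```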
<br class=""></div></body></html>